SSH v1 vs. SSHv2

I have a scanning product that says that a server has the SSHv1 protocol on and an administrator that says their testing via SSH from another AIX box shows that it isn't. I am going to look at the /sshd_config, but is there another way to break this tie?

Typically the default configuration for the server is to listen for both SSHv1 and SSHv2 connections. Hence the report from your scanning tool. It is also possible to configure the SSH client to use SSHv2 only, as your administrator states.

The best way to break the tie is to configure the server to only listen for the SSHv2 protocol, which is more secure.

A lot of times the scanning product just looks into the config files and
if it sees #Protocol 1 (even with a comment) it flags that as a
vulnerability, even if ssh -1 servername disallows the action.

SSH version 1 needs to be disabled.
On the box in question:
ssh -1 localhost
If version 1 is permitted, you'll get a connection.
If version 1 is not permitted, you won't.
Like this:
boxw02: ssh -1 localhost
Protocol major versions differ: 1 vs. 2
boxw02:

Thanks everyone for assisting.
I have a copy of the config file, and it doesn't list protocol 1 for SSH.
In addition, my scanner says the same thing whether it logs in or not - so clearly it thinks that based upon external connection.
I am beginning to wonder if the administrator didn't restart the service after modifying the config file, so he and I are both right.
He does have a point. If I connect to this particular box from an AIX box, the connection dialog says SSH2; when I connect to another box, the first thing it says is SSH1.

Independent of how it's configured, you can determine if the system will
allow SSH v1 by keying in:
ssh -1 userX@localhost
If it refuses, then SSH V1 is disabled.
Config files express intention, but tests confirm service!
soslxXXX: ssh -1 asdasd@localhost
Protocol major versions differ: 1 vs. 2
soslxXXX:
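
Added example (not part of any post in this thread): a scanner that flags SSHv1 without logging in is typically reading the server's identification line, where a protocol version of 1.99 means the daemon accepts both protocol 1 and 2 (RFC 4253). The Python below classifies that line and compares it with the active Protocol setting in a copy of sshd_config, which exposes a daemon that was not restarted after the file was edited; the sample banners and config are constructed, and stale_daemon is a hypothetical helper name.

```python
import socket
import re

# Identification line: SSH-<protoversion>-<softwareversion> (RFC 4253, section 4.2)
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-")

def classify_banner(banner):
    """Map a server identification line to the protocol versions it offers."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "not-ssh"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "v1+v2"   # 1.99 is the compatibility marker: both are accepted
    return {1: "v1-only", 2: "v2-only"}.get(major, "unknown")

def configured_protocols(sshd_config_text):
    """Return the active Protocol setting as a set, or None if it is not set.
    Commented-out lines such as '#Protocol 1' never match."""
    for line in sshd_config_text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "protocol":
            return {p.strip() for p in fields[1].split(",")}  # first match wins
    return None

def read_banner(host, port=22, timeout=5.0):
    """Fetch the identification line from the sshd that is actually running."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for n, raw in enumerate(s.makefile("rb")):
            line = raw.decode("ascii", "replace").strip()
            if line.startswith("SSH-"):
                return line
            if n >= 20:      # give up on hosts that never identify
                break
    return ""

def stale_daemon(config_text, banner):
    """True when the file says v2 only but the live banner still offers v1."""
    return (configured_protocols(config_text) == {"2"}
            and classify_banner(banner) in ("v1+v2", "v1-only"))

# Constructed sample data, not taken from the servers in this thread.
SAMPLE_CONFIG = "#Protocol 1\nPort 22\nProtocol 2\n"
SAMPLE_BANNERS = ["SSH-1.99-OpenSSH_4.3", "SSH-2.0-OpenSSH_5.8", "SSH-1.5-1.2.27"]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, "->", classify_banner(b), "| stale:", stale_daemon(SAMPLE_CONFIG, b))
```

To check a live host, pass the result of read_banner("hostname") to classify_banner in place of the sample banners.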